Shadow Talk Update – 12.02.2018

With the 2018 Winter Games beginning this week, the Digital Shadows Research Team focused on threats to those traveling to South Korea in this episode of Shadow Talk. There was also a roundup of the most recent cyber security news.

Malware in Winter Olympics spearphishing campaign identified

Anti-virus security company McAfee published a report detailing four variants of malware linked to the targeting of organizations associated with the XXIII Winter Games in South Korea. The variants were identified as “Gold Dragon”, “Brave Prince”, “Ghost419” and “RunningRat”. During the games themselves, we expect a rise in cybercriminal activity, achieved through point-of-sale malware infections at hospitality, leisure and retail locations, ATM skimming, banking fraud and scam emails. VIPs travelling to the event are advised to use alternative forms of payment such as chip-and-PIN, pre-paid and pre-capped cards. Travellers should also use Virtual Private Network (VPN) tunnelling when connecting to company networks and corporate accounts, especially on public Wi-Fi.

Operation Pzchao: not your typical espionage campaign

The espionage-driven campaign Operation Pzchao has affected multiple entities across government, technology, education and telecommunications in North America, Russia, Oceania and Asia since 2016. Victims received emails containing a Visual Basic Script (VBScript) file, which retrieved second-stage payloads: a Bitcoin mining application, the credential harvester “Mimikatz”, and variants of the “Gh0st” remote-access trojan (RAT). Digital Shadows analysts cast doubt on the reported attribution to a Chinese state-linked advanced persistent threat (APT) group — the use of a Bitcoin miner, inconsistencies in the reported distribution method, and the use of a widely available RAT with no additional custom malware are not typical of a highly coordinated, state-linked group.

Adobe zero-day vulnerability exploited in attacks against South Koreans

The South Korean Computer Emergency Response Team (CERT) warned that a critical Adobe vulnerability was exploited in attacks targeting South Koreans involved in geopolitical research. Spearphishing emails were the only known vector of the attacks, which were attributed to a North Korean threat group. The emails distributed a variant of the “ROKRAT” trojan, which has reconnaissance and information-stealing capabilities. Adobe has issued security updates for the vulnerability, identified as CVE-2018-4878. Further exploitation attempts of this flaw are highly likely.

Denial of service vulnerability discovered in WordPress platform

A vulnerability identified in the WordPress online publishing platform could enable an attacker to conduct denial-of-service attacks. The researcher who identified the flaw claimed that requests for large JavaScript or Cascading Style Sheet (CSS) files could be sent to sites repeatedly, resulting in the denial of legitimate traffic. WordPress has indicated it does not plan to patch the flaw, although in-the-wild exploitation of the vulnerability could potentially reverse this decision. The researcher released proof-of-concept (POC) code, and secondary reporting suggested a small number of exploitation attempts had been detected. Further attempts are considered highly likely to occur.
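As an added example (not code from Digital Shadows, WordPress or the researcher's report), the following Python script shows a defender's detection check for the pattern described above: it parses web server access log lines in the common "combined" format and flags clients that request JavaScript or CSS files repeatedly, and in large volume, within a short time window. The log lines, client IP addresses, file paths and thresholds are constructed for illustration and are not values from the page.

```python
"""Flag clients that hammer a site with requests for large JS/CSS files.

Added example; not the project's own code. Log lines, addresses, paths and
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: 203.0.113.7 (TEST-NET range) fetches a large script bundle
# six times in 25 seconds; 198.51.100.20 behaves like an ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2018:10:00:00 +0000] "GET /wp-includes/js/app-bundle.js?ver=4.9 HTTP/1.1" 200 300000 "-" "curl/7.58"',
    '198.51.100.20 - - [12/Feb/2018:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 18000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2018:10:00:05 +0000] "GET /wp-includes/js/app-bundle.js?ver=4.9 HTTP/1.1" 200 300000 "-" "curl/7.58"',
    '203.0.113.7 - - [12/Feb/2018:10:00:10 +0000] "GET /wp-includes/js/app-bundle.js?ver=4.9 HTTP/1.1" 200 300000 "-" "curl/7.58"',
    '198.51.100.20 - - [12/Feb/2018:10:00:12 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 50000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2018:10:00:15 +0000] "GET /wp-includes/js/app-bundle.js?ver=4.9 HTTP/1.1" 200 300000 "-" "curl/7.58"',
    '203.0.113.7 - - [12/Feb/2018:10:00:20 +0000] "GET /wp-includes/js/app-bundle.js?ver=4.9 HTTP/1.1" 200 300000 "-" "curl/7.58"',
    'this line is malformed and should be skipped by the parser',
    '203.0.113.7 - - [12/Feb/2018:10:00:25 +0000] "GET /wp-includes/js/app-bundle.js?ver=4.9 HTTP/1.1" 200 300000 "-" "curl/7.58"',
]


def parse_line(line):
    """Return a dict with ip, timestamp, path (query string removed) and bytes,
    or None when the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = m.group("bytes")
    path = m.group("path").split("?", 1)[0]  # ignore cache-busting query strings
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": path,
        "bytes": 0 if size == "-" else int(size),
    }


def is_static_asset(path):
    """True for JavaScript and CSS files, the asset types named in the report."""
    return path.lower().endswith((".js", ".css"))


def find_abusive_clients(lines, window=timedelta(seconds=60),
                         min_requests=5, min_bytes=1_000_000):
    """Return {ip: (requests, bytes)} for clients whose JS/CSS requests inside
    any sliding `window` reach both min_requests and min_bytes. Thresholds are
    constructed; tune them to the site's normal traffic before deploying."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_static_asset(rec["path"]):
            per_ip[rec["ip"]].append((rec["ts"], rec["bytes"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, running_bytes = 0, 0
        for end, (ts, size) in enumerate(events):
            running_bytes += size
            # Slide the window start forward until it fits within `window`.
            while ts - events[start][0] > window:
                running_bytes -= events[start][1]
                start += 1
            count = end - start + 1
            if count >= min_requests and running_bytes >= min_bytes \
                    and count > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (count, running_bytes)
    return flagged


def run_example():
    """Run the check over the constructed sample log."""
    return find_abusive_clients(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, (count, total) in run_example().items():
        print(f"{ip}: {count} JS/CSS requests, {total} bytes inside the window")
```

The sliding window keeps the check cheap enough to run over a busy access log, and stripping the query string means a client rotating `?ver=` values to defeat caching is still counted against the same asset. In practice the flagged addresses would feed a rate limit or a web application firewall rule rather than a blocklist, since a shared NAT address can trip the thresholds legitimately.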

On Wednesday 7 February, the U.S. Department of Justice unveiled an indictment from 31 October 2017 against 36 individuals associated with the Infraud carding forum. This was the result of an operation known as “Shadow Web”. Although Infraud was a significant player in the carding ecosystem, many more forums and automated vending carts (AVCs) remain in operation, and the closure of one site simply means criminal actors will migrate to other forums. The threat posed to organizations by carding fraud therefore remains unchanged. Our research also indicated that some sites run by vendors on the Infraud forum are still active.